Minikube cert expiration

[Kimi450]

Minikube certs will expire after a year, I dont really know how to fix it. I tried to look into it a while back but it didnt work. Basically after a year of usage, certs expire and you can no longer access teh cluster (data on the host should be fine, but app config will be lost as youll have to reinstall minikube and everything thats on top of it)

[Kimi450]

List of all the certs fount linked to minikube found using the command

# get into minikube
minikube ssh

#find certs
find / -name *crt 2>/dev/null | grep minikube | while read line; do echo ------------- $line -------------; openssl x509 -enddate -noout -in $line; done

/var/lib/minikube/certs/etcd/healthcheck-client.crt
/var/lib/minikube/certs/etcd/ca.crt
/var/lib/minikube/certs/etcd/server.crt
/var/lib/minikube/certs/etcd/peer.crt
/var/lib/minikube/certs/apiserver-etcd-client.crt
/var/lib/minikube/certs/apiserver-kubelet-client.crt
/var/lib/minikube/certs/proxy-client.crt
/var/lib/minikube/certs/proxy-client-ca.crt
/var/lib/minikube/certs/front-proxy-client.crt
/var/lib/minikube/certs/apiserver.crt
/var/lib/minikube/certs/ca.crt
/var/lib/minikube/certs/front-proxy-ca.crt
/minikube-host/.minikube/profiles/minikube/proxy-client.crt
/minikube-host/.minikube/profiles/minikube/client.crt
/minikube-host/.minikube/profiles/minikube/apiserver.crt
/minikube-host/.minikube/proxy-client-ca.crt
/minikube-host/.minikube/ca.crt

The following are set for 10 years in the future:

/minikube-host/.minikube/ca.crt
/minikube-host/.minikube/proxy-client-ca.crt
/var/lib/minikube/certs/etcd/ca.crt
/var/lib/minikube/certs/proxy-client-ca.crt
/var/lib/minikube/certs/front-proxy-ca.crt
/var/lib/minikube/certs/ca.crt

The following are renewed auromtically and utilize the argument passed with --cert-expiration:

/var/lib/minikube/certs/proxy-client.crt
/var/lib/minikube/certs/apiserver.crt
/minikube-host/.minikube/profiles/minikube/proxy-client.crt
/minikube-host/.minikube/profiles/minikube/client.crt
/minikube-host/.minikube/profiles/minikube/apiserver.crt

The following might be the problematic ones as they dont utilize the argument passed with --cert-expiration:

/var/lib/minikube/certs/etcd/healthcheck-client.crt
/var/lib/minikube/certs/etcd/server.crt
/var/lib/minikube/certs/etcd/peer.crt
/var/lib/minikube/certs/apiserver-etcd-client.crt
/var/lib/minikube/certs/apiserver-kubelet-client.crt
/var/lib/minikube/certs/front-proxy-client.crt

Replication

• install minikube
• change system time

  timedatectl
  timedatectl set-ntp no
  
  # some time in the future, more than the end date for the poblematic certs listed above
  timedatectl set-time 2025-04-10
  

• restart minikube

  minikube stop
  minikube start
  

[Kimi450]

Related issues:

• "minikube start" fails on clean environment with "cert expired" problem kubernetes/minikube#13621
• Renew cert on start if current cert has has expired kubernetes/minikube#10122

[Kimi450]

Upstream issue is fixed, so I expect this issue to be fixed now too.